Abstract

Let E be an elliptic curve over a finite field F_q of q elements, with gcd(q, 6) = 1, given by an affine Weierstraß equation. We also use x(P) to denote the x-component of a point P = (x(P), y(P)) ∈ E. We estimate character sums of the form

$$\sum_{n=1}^{N} \chi\bigl(x(nP)\,x(nQ)\bigr) \qquad\text{and}\qquad \sum_{n_1,\dots,n_k=1}^{N} \psi\Bigl(\sum_{j=1}^{k} c_j\, x\Bigl(\prod_{i=1}^{j} n_i\, R\Bigr)\Bigr)$$

on average over all F_q-rational points P, Q and R on E, where χ is a quadratic character, ψ is a nontrivial additive character in F_q and (c_1, ..., c_k) ∈ F_q^k is a non-zero vector. These bounds confirm several recent conjectures of D. Jao, D. Jetchev and R. Venkatesan, related to extracting random bits from various sequences of points on elliptic curves.
1 Introduction

1.1 Motivation

Many standard pseudorandom number generators based on finite fields and residue rings have proved to be insecure, see [I1I21EII11E1EIIS1E1 [IDl [IH [151 [IS]. Partially motivated by this and partially because this is of intrinsic interest for elliptic curve cryptography, several constructions of pseudorandom generators from elliptic curves have been proposed; see [18] for a survey of such constructions and results.

Several new pseudorandom generators from elliptic curves have recently been suggested by D. Jao, D. Jetchev and R. Venkatesan [13]. Giving a rigorous analysis of these constructions is the primary goal of this paper. We also show how one of the most powerful number theoretic techniques, exponential and character sums, can be used to address these and similar questions, which can be of independent interest.

Finally, we note that although elliptic curves provide a very promising source of cryptographically secure bits, as the recent result of yij shows, they also have to be used with great care.
1.2 Results

We fix a finite field F_q of q elements and an elliptic curve E over F_q given by an affine Weierstraß equation

$$E:\; Y^2 = X^3 + aX + b \tag{1}$$

with some a, b ∈ F_q, see [19].

We recall that the set of all points on E forms an Abelian group, with the point at infinity O as the neutral element, and we use ⊕ to denote the group operation. As usual we write every point P ≠ O on E as P = (x(P), y(P)). For P = O we formally write P = (0, ∞).
Let E(F_q) denote the set of F_q-rational points on E.

For a positive integer N, points P, Q, R ∈ E(F_q), and a non-zero vector c = (c_1, ..., c_k) ∈ F_q^k, define character sums of the form

$$S(P,Q;N) = \sum_{n=1}^{N} \chi\bigl(x(nP)\,x(nQ)\bigr), \qquad T_k(c,R;N) = \sum_{n_1,\dots,n_k=1}^{N} \psi\Bigl(\sum_{j=1}^{k} c_j\, x\Bigl(\prod_{i=1}^{j} n_i\, R\Bigr)\Bigr),$$

where χ is a quadratic character (we also put χ(0) = 0) and ψ is a nontrivial additive character of F_q.

D. Jao, D. Jetchev and R. Venkatesan [13, Conjecture 4.1] have conjectured that there exists a positive constant δ > 0 such that for any N > (log q)^ and any points P ≠ Q the bound

$$S(P,Q;N) = O\bigl(N^{1-\delta}\bigr)$$

holds. Towards this conjecture, it has been shown in [13, Section 4.2] that for any point Q ∈ E(F_q),

$$\sum_{P \in E(\mathbb{F}_q)} S(P,Q;N) = O\bigl(q N^{1/2}\bigr).$$

This however does not imply that the sums S(P,Q;N) are typically, or even sometimes, small. Furthermore, the proof given in [13] seems to hold only if the cardinality #E(F_q) is not divisible by any prime ℓ ≤ N. Here we use a different argument and estimate the sum

$$U(N) = \sum_{P,Q \in E(\mathbb{F}_q)} \bigl|S(P,Q;N)\bigr|^2,$$

which immediately implies that the sums S(P,Q;N) are small for almost all pairs of points P, Q ∈ E(F_q).

We also estimate the average value of the sums T_k(c,R;N) over points of subgroups H ⊆ E(F_q) of order t which is not divisible by any prime ℓ ≤ N. Namely, for a subgroup H of the group of points E(F_q), we estimate the sum

$$V_k(c,\mathcal{H};N) = \sum_{R \in \mathcal{H}} \bigl|T_k(c,R;N)\bigr|^2,$$

which similarly implies that the sums T_k(c,R;N) are small for almost all points R ∈ H. Note that subgroups of cryptographic interest are usually chosen to be of a prime order, so the coprimality condition gcd(N!, #H) = 1 is always satisfied.

In turn, in the case of prime q = p, we derive from our bound on V_k(c,H;N) that for almost all points R ∈ E(F_q), strings of ℓ least significant bits of each component of the k-dimensional points

$$n_1, \dots, n_k \in \{1, \dots, N\}, \tag{2}$$

are uniformly distributed (provided that #H is large enough). We note that instead of strings of most significant bits (as suggested in [13]) we use least significant bits. This is because for some primes p (for those which are very close to a power of 2) most significant bits of random residues modulo p are biased, while least significant bits are always uniformly distributed. A step towards such a result is made in [13, Proposition 5.1], but it contains some parameters which are not explicitly estimated in [13] (and as we have just mentioned it cannot work for most significant bits anyway).
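To make the remark about the two kinds of bit strings concrete, here is an added example (Python written for this page, not code from the paper). It counts, for each ℓ-bit pattern, how many residues 0, 1, ..., p − 1 have that pattern as their ℓ most significant bits (in a fixed representation with the bit length of p) and how many have it as their ℓ least significant bits. The prime p = 8209 = 2^13 + 17 and ℓ = 3 are constructed sample values: the least significant counts never deviate from p/2^ℓ by more than 1, while for this p the most significant patterns 101, 110 and 111 never occur at all.

```python
# Added example (not from the paper): compare the distribution of the ell
# most significant bits and the ell least significant bits of the residues
# 0, 1, ..., p-1 modulo a prime p, each written with the bit length of p.

def lsb_counts(p, ell):
    """Number of residues x in {0, ..., p-1} whose ell least significant bits
    equal each pattern 0, 1, ..., 2^ell - 1 (pattern = x mod 2^ell)."""
    counts = [0] * (1 << ell)
    for x in range(p):
        counts[x % (1 << ell)] += 1
    return counts

def msb_counts(p, ell):
    """Number of residues whose ell most significant bits, in a fixed
    p.bit_length()-bit representation, equal each pattern."""
    shift = p.bit_length() - ell
    counts = [0] * (1 << ell)
    for x in range(p):
        counts[x >> shift] += 1
    return counts

def max_deviation(counts, p):
    """Largest |count - p / 2^ell| over all 2^ell patterns."""
    expected = p / len(counts)
    return max(abs(c - expected) for c in counts)

if __name__ == "__main__":
    p, ell = 8209, 3          # constructed example: p = 2^13 + 17 is prime
    print("LSB counts:", lsb_counts(p, ell), "max deviation:", max_deviation(lsb_counts(p, ell), p))
    print("MSB counts:", msb_counts(p, ell), "max deviation:", max_deviation(msb_counts(p, ell), p))
```

The least significant counts are always ⌊p/2^ℓ⌋ or ⌈p/2^ℓ⌉, which is why the deviation stays below 1 for every prime; the most significant counts depend on how far p is from the next power of two, which is the bias the paper avoids.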

Throughout the paper, the implied constants in the symbols 'O' and '≪' are absolute (we recall that U ≪ V and U = O(V) are both equivalent to the inequality |U| ≤ cV with some constant c > 0).
2 Preparations

2.1 Background on division polynomials

For an integer n ≥ 0, let ψ_n(X, Y) be the nth division polynomial of E over F_q given by (1); we refer to [19] for a background on division polynomials. Let

$$f_n = X\psi_n^2 - \psi_{n-1}\psi_{n+1} \qquad\text{and}\qquad g_n = \psi_n^2, \qquad n = 1, 2, \dots . \tag{3}$$

In particular, f_n and g_n are polynomials in F_q[X] of degrees

$$\deg f_n = n^2 \qquad\text{and}\qquad \deg g_n \le n^2 - 1, \tag{4}$$

such that

Further, one can write

$$g_n(X) = \begin{cases} h_n(X)^2, & \text{if } n \text{ is odd,}\\ (X^3 + aX + b)\,h_n(X)^2, & \text{if } n \text{ is even,} \end{cases} \tag{6}$$

for some polynomials h_n(X) in F_q[X], n = 1, 2, ... .

It is well known, and also follows from (5), that the roots of the polynomial g_n, for n ≥ 2, are the x-coordinates of n-torsion points of E, that is, for all points P in E(F̄_q) with P ≠ O, we have

$$P = (x, y) \in E[n] \iff g_n(x) = 0,$$

where, as usual,

$$E[n] = \{P : P \in E(\overline{\mathbb{F}}_q),\ nP = O\}$$

and F̄_q denotes the algebraic closure of F_q. We note that, if gcd(n, q) = 1, then

$$E[n] \cong \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}.$$

Moreover, if F_q is of characteristic p, then E[p] is isomorphic to Z/pZ or {O}. We recall that an elliptic curve E is called ordinary if E[p] ≅ Z/pZ. It is called supersingular if E[p] = {O}. Furthermore, if p divides n, write n = p^r n_* with gcd(p, n_*) = 1. Then

$$E[n] \cong E[n_*] \oplus E[p^r],$$

where E[p^r] ≅ Z/p^rZ if E is ordinary and E[p^r] = {O} if E is supersingular. In particular, #E[n] = n n_* if E is ordinary and #E[n] = n_*^2 if E is supersingular.

Denote the set of n-division points of a point Q in E by E[n, Q], that is,

$$E[n, Q] = \{P : P \in E(\overline{\mathbb{F}}_q),\ nP = Q\}.$$
Clearly, nP = Q if and only if E[n, Q] = P ⊕ E[n].

The following result shows that the roots of f_n are the x-coordinates of n-division points of a point P_0 on E with x(P_0) = 0.

Lemma 1. Let E be an elliptic curve over F_q given by the equation (1). Let P_0 = (0, c) ∈ E(F̄_q), where c is a square root of b. Then, for all x ∈ F̄_q, we have f_n(x) = 0 if and only if there exists a point P ∈ E[n, P_0] with x(P) = x.

Proof. Let x ∈ F̄_q. Then there exists an element y ∈ F̄_q such that the point P = (x, y) is a point on E. If f_n(x) = 0, then g_n(x) ≠ 0. Moreover, from (5), we have x(nP) = 0. So nP = P_0 or nP = −P_0. Thus nP = P_0 or n(−P) = P_0, that is, either P = (x, y) or −P = (x, −y) is a point of E[n, P_0].

If P = (x, y) ∈ E[n, P_0], then nP = P_0. So x(nP) = x(P_0) = 0. Next, from (5), we have f_n(x) = 0. □

Lemma 2. For all positive integers n = p^r n_* with gcd(n_*, p) = 1, we have

$$f_n = \begin{cases} \tilde f_n(X)^{p^{r}}, & \text{if } E \text{ is ordinary,}\\ \tilde f_n(X)^{p^{2r}}, & \text{if } E \text{ is supersingular,} \end{cases}$$

for some polynomial f̃_n in F_q[X] with deg f̃_n = #E[n].

Proof. We note that, for n = p^r n_*, f_n is a polynomial in X^{p^r} if E is ordinary (for example, see [P, Lemma 2]). Moreover, f_n is a polynomial in X^{p^{2r}} if E is supersingular (for example, see [B]). Recalling (4), we see that if E is ordinary, one can write f_n = f̃_n(X)^{p^r} for some polynomial f̃_n in F_q[X] of degree p^r n_*^2. If E is supersingular, then f_n = f̃_n(X)^{p^{2r}} for some polynomial f̃_n in F_q[X] of degree n_*^2. In other words, deg f̃_n = #E[n]. □

Lemma 3. If b ≠ 0, then for all positive integers n the polynomial f̃_n, defined by Lemma 2, is square-free.

Proof. From Lemma 1 we see that the roots of f_n are the x-coordinates of points of E[n, P_0]. Then, from Lemma 2 we also see that the roots of f̃_n are the x-coordinates of points of E[n, P_0]. We note that, for P ∈ E[n, P_0], the point −P is in E[n, P_0] if and only if P_0 = −P_0, that is, −P ∈ E[n, P_0] if and only if b = 0. So, if b ≠ 0, all points of E[n, P_0] have distinct x-coordinates. We note that #E[n, P_0] = #E[n]. Hence, the polynomial f̃_n has #E[n] distinct roots. From Lemma 2, deg f̃_n = #E[n]. Therefore, if b ≠ 0, the polynomial f̃_n is square-free. □

We now define the rational functions

$$\Phi_{m,n}(X) = \frac{f_m(X)\,f_n(X)}{g_m(X)\,g_n(X)}, \qquad \Psi_{m,n}(X) = \frac{(X^3 + aX + b)\,f_m(X)\,f_n(X)}{g_m(X)\,g_n(X)}. \tag{7}$$

We need the following property of Φ_{m,n} and Ψ_{m,n}, which can be of independent interest.

Lemma 4. If E is an ordinary elliptic curve with b ≠ 0, then for all distinct positive integers m and n, neither Φ_{m,n} nor Ψ_{m,n} is a square of a rational function in F_q(X).

Proof. From (4) and (6), we see that the difference of deg f_n and deg g_n is odd. So, the difference between the degrees of the numerator and denominator of Ψ_{m,n} is odd. So, it cannot be a square of another rational function.

For Φ_{m,n}, first we assume that m + n is even. From (6), we see that g_m g_n is a square. Let m = p^r m_* and n = p^s n_* with gcd(m_* n_*, p) = 1. By Lemmas 2 and 3, we write f_m = f̃_m^{p^r} and f_n = f̃_n^{p^s}, where the polynomials f̃_m, f̃_n are square-free. Moreover, deg f̃_m = p^r m_*^2 and deg f̃_n = p^s n_*^2. So, for distinct m, n, deg f̃_m ≠ deg f̃_n. Thus, f̃_m f̃_n cannot be a square of a polynomial in F_q[X]. The same is true for the product of f_m and f_n. Hence, Φ_{m,n} cannot be a square of a rational function.

Now, we assume that m + n is odd. From (6), we have g_m g_n = (X^3 + aX + b) h_m^2 h_n^2. We recall that the roots of X^3 + aX + b correspond to the x-coordinates of points of E[2]. Also, the roots of f_m correspond to the x-coordinates of points of E[m, P_0]. Clearly the sets E[2] and E[m, P_0] have no common point if b ≠ 0. Therefore, X^3 + aX + b has no common root with f_m, and similarly with f_n, when b ≠ 0. So, again Φ_{m,n} cannot be a square of a rational function. □



2.2 Exponential Sums Along Elliptic Curves

We recall the following bound of character sums with a nontrivial additive character ψ of F_q, which is given in [17].

Lemma 5. Fix integers 1 ≤ d_1 < ... < d_s ≤ D and fix c_1, ..., c_s ∈ F_q with c_s ≠ 0. Let E be an ordinary elliptic curve defined over F_q. Then the following bound holds:

$$\sum_{Q \in \mathcal{H}} \psi\Bigl(\sum_{i=1}^{s} c_i\, x(d_i Q)\Bigr)$$

where H is an arbitrary subgroup of E(F_q) of order t = #H such that gcd(t, d_1 ⋯ d_s) = 1.

3 Main Results

3.1 Sums U(N)

Theorem 6. For a prime power q with gcd(q, 6) = 1 and an ordinary elliptic curve E given by (1) with b ≠ 0, we have

$$U(N) \ll N^6 q + N q^2$$

for every positive integer N.

Proof. Expanding the square and changing the order of summation, we obtain

$$U(N) = \sum_{m,n=1}^{N} \sum_{P,Q \in E(\mathbb{F}_q)} \chi\bigl(x(mP)\,x(nP)\,x(mQ)\,x(nQ)\bigr) = \sum_{m,n=1}^{N} \Bigl(\sum_{P \in E(\mathbb{F}_q)} \chi\bigl(x(mP)\,x(nP)\bigr)\Bigr)^2.$$

For n = m, we estimate the inner sum over P trivially as O(q). Thus the total contribution to U(N) from such terms is

$$U^{(=)}(N) = O\bigl(N q^2\bigr). \tag{8}$$

If n ≠ m, as in [13, Section 4.2], we note that any u ∈ F_q appears as u = x(P) for some point P ∈ E(F_q) exactly 1 + χ(u^3 + au + b) times, where a and b are as in (1). Therefore, using (5), we derive

$$\sum_{P \in E(\mathbb{F}_q)} \chi\bigl(x(mP)\,x(nP)\bigr) = \sum_{u \in \mathbb{F}_q} \chi\bigl(\Phi_{m,n}(u)\bigr) + \sum_{u \in \mathbb{F}_q} \chi\bigl(\Psi_{m,n}(u)\bigr),$$

where the rational functions Φ_{m,n}(X) and Ψ_{m,n}(X) are given by (7).

Now, by Lemma 4 we see that the Weil bound applies to both sums, see [12, Theorem 11.23], and together with (4) leads to the estimate

$$\sum_{P \in E(\mathbb{F}_q)} \chi\bigl(x(mP)\,x(nP)\bigr) = O\bigl(N^2 q^{1/2}\bigr)$$

for n ≠ m. Thus the total contribution to U(N) from such terms is

$$U^{(\ne)}(N) = O\Bigl(N^2 \bigl(N^2 q^{1/2}\bigr)^2\Bigr) = O\bigl(N^6 q\bigr). \tag{9}$$

Combining (8) and (9), we finish the proof. □

Clearly, Theorem 6 improves the trivial bound U(N) ≪ N^2 q^2 for N ≤ q^{1/4−δ} with any fixed δ > 0. This is well within the range of interest in [13], which starts with N of order (log q)^. Furthermore, if N ≤ q^{1/5} then the bound takes the form U(N) ≪ N q^2, thus confirming that for almost all P, Q ∈ E(F_q) the sums S(P,Q;N) have square root cancellation (see comments after [13, Conjecture 4.1]).
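As an added worked example (Python written for this page, not code from the paper), the following brute-force computation evaluates S(P,Q;N) and U(N) on the constructed curve y^2 = x^3 + x + 1 over F_13, which has 18 points (so it is ordinary, since 18 ≠ 13 + 1) and b = 1 ≠ 0, and checks the fibre count used in the proof of Theorem 6, namely that u ∈ F_q is the x-coordinate of exactly 1 + χ(u^3 + au + b) points, against a direct enumeration of E(F_p). The point at infinity is represented by None with x(O) = 0, as in the paper's convention, and the trivial bound U(N) ≤ N^2 q^2 is also checked.

```python
# Added example (not from the paper): brute-force character sums on a small
# elliptic curve y^2 = x^3 + a x + b over F_p, with O represented by None and
# x(O) = 0 as in the paper's convention. Sample parameters are constructed.

def chi(u, p):
    """Quadratic character modulo an odd prime p, with chi(0) = 0."""
    u %= p
    if u == 0:
        return 0
    return 1 if pow(u, (p - 1) // 2, p) == 1 else -1

def curve_points(p, a, b):
    """All F_p-rational points of y^2 = x^3 + a x + b, including O (None)."""
    pts = [None]
    for x in range(p):
        rhs = (x**3 + a*x + b) % p
        pts.extend((x, y) for y in range(p) if (y*y) % p == rhs)
    return pts

def add(P, Q, p, a):
    """Affine group law (chord-and-tangent) on the curve."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P, including the case 2P = O
        return None
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1 % p, -1, p)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    lam %= p
    x3 = (lam*lam - x1 - x2) % p
    y3 = (lam*(x1 - x3) - y1) % p
    return (x3, y3)

def xcoord(P):
    """x(P), with the formal value x(O) = 0."""
    return 0 if P is None else P[0]

def S(P, Q, N, p, a):
    """S(P,Q;N) = sum_{n=1}^N chi(x(nP) x(nQ)), computing nP and nQ incrementally."""
    total, nP, nQ = 0, None, None
    for _ in range(N):
        nP, nQ = add(nP, P, p, a), add(nQ, Q, p, a)
        total += chi(xcoord(nP) * xcoord(nQ), p)
    return total

def U(N, p, a, b):
    """U(N) = sum over all pairs P, Q in E(F_p) of |S(P,Q;N)|^2."""
    pts = curve_points(p, a, b)
    return sum(S(P, Q, N, p, a) ** 2 for P in pts for Q in pts)

def fibre_counts(p, a, b):
    """For each u in F_p: the number of points with x(P) = u, next to the value
    1 + chi(u^3 + a u + b) that the proof of Theorem 6 says it equals."""
    pts = curve_points(p, a, b)
    actual = [sum(1 for P in pts if P is not None and P[0] == u) for u in range(p)]
    predicted = [1 + chi(u**3 + a*u + b, p) for u in range(p)]
    return actual, predicted

if __name__ == "__main__":
    p, a, b, N = 13, 1, 1, 5           # constructed sample curve and N
    actual, predicted = fibre_counts(p, a, b)
    print("#E(F_p) =", len(curve_points(p, a, b)))
    print("fibre counts agree with 1 + chi(u^3 + a u + b):", actual == predicted)
    print("U(N) =", U(N, p, a, b), "  trivial bound N^2 q^2 =", N**2 * p**2)
```

The fibre identity is what turns the sum over points into the two sums over u ∈ F_q of χ(Φ_{m,n}(u)) and χ(Ψ_{m,n}(u)) in the proof; with a curve this small the Weil-bound terms are not visible numerically, but the enumeration makes the reduction step itself checkable.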

3.2 Sums V_k(c,H;N)

We note that an appropriate version of the results of this section holds for any q (in fact even without the condition gcd(q, 6) = 1). However, to make our argument more transparent, we assume that q = p is prime. This is exactly the case which is needed for our main goal, which is studying the bit patterns of the vectors (2).
Theorem 7. For a prime p, an ordinary elliptic curve E and a subgroup H of E(F_p) of order t, uniformly over all non-zero vectors c ∈ F_p^k, we have

$$V_k(c,\mathcal{H};N) \ll k N^{4k} p^{1/2} + k N^{2k-1} t$$

for all positive integers k and N with gcd(N!, t) = 1.

Proof. Squaring out, expanding and changing the order of summation, we obtain

$$V_k(c,\mathcal{H};N) = \sum_{m_1,\dots,m_k=1}^{N} \sum_{n_1,\dots,n_k=1}^{N} \sum_{R \in \mathcal{H}} \psi\Bigl(\sum_{j=1}^{k} c_j\, x\Bigl(\prod_{i=1}^{j} m_i\, R\Bigr) - \sum_{j=1}^{k} c_j\, x\Bigl(\prod_{i=1}^{j} n_i\, R\Bigr)\Bigr). \tag{10}$$

For O(kN^{2k−1}) choices of m_1, ..., m_k and n_1, ..., n_k with at least one value equal to 1 we estimate the inner sum trivially as t. So the total contribution from such terms is

$$V_1 \ll k N^{2k-1} t. \tag{11}$$

We say that the sequence of integers m_1, ..., m_k, n_1, ..., n_k ≥ 2 is product distinct with respect to c if the vectors

$$(m_1,\ m_1 m_2,\ \dots,\ m_1 m_2 \cdots m_k) \qquad\text{and}\qquad (n_1,\ n_1 n_2,\ \dots,\ n_1 n_2 \cdots n_k)$$

are distinct at all positions j for which c_j ∈ F_p^*.

We see from Lemma 5 that if m_1, ..., m_k, n_1, ..., n_k ≥ 2 is product distinct with respect to c then the inner sum over R in (10) is O(k N^{2k} p^{1/2}). Otherwise we estimate this sum trivially as O(t).

The total contribution from these terms is

$$V_2 \ll k N^{4k} p^{1/2} + M t, \tag{12}$$

where M is the number of sequences of integers N ≥ m_1, ..., m_k, n_1, ..., n_k ≥ 2 which are not product distinct with respect to c.
To estimate M, we assume that c_{j_0} ≠ 0. If all values of m_1, ..., m_k and all values of n_1, ..., n_k but n_{j_0} are fixed, then n_{j_0} must satisfy the equation

$$m_1 \cdots m_{j_0} = n_1 \cdots n_{j_0}$$

and thus can take at most one possible value. Since j_0 can take k distinct values, we get M ≤ kN^{2k−1} (the vector c = (1, 0, ..., 0) shows that this bound cannot be improved). Substituting this bound in (12) we obtain

$$V_2 \ll k N^{4k} p^{1/2} + k N^{2k-1} t. \tag{13}$$

Combining (11) and (13), we conclude the proof. □



3.3 Applications

We now address the question of [13] on the distribution of bits of the vectors (2).

Let now q = p be prime. We assume that F_p is represented by the elements of the set {0, 1, ..., p − 1}.

For a point R ∈ E(F_p), positive integers k, ℓ, N and k bit strings σ_1, ..., σ_k of length ℓ each, we use A_{k,ℓ}(R,N;σ_1,...,σ_k) to denote the number of times the ℓ least significant bits of the binary expansions of the components of the vectors (2) are σ_1, ..., σ_k, respectively. It is natural to compare A_{k,ℓ}(R,N;σ_1,...,σ_k) with 2^{−kℓ}N^k. Thus, for a subgroup H ⊆ E(F_p), we consider the average deviation Δ_{k,ℓ}(H,N) of A_{k,ℓ}(R,N;σ_1,...,σ_k) from its expected value:

$$\Delta_{k,\ell}(\mathcal{H},N) = \sum_{R \in \mathcal{H}} \max \bigl|A_{k,\ell}(R,N;\sigma_1,\dots,\sigma_k) - 2^{-k\ell} N^k\bigr|,$$

where the maximum is taken over all 2^{kℓ} choices of k bit strings σ_1, ..., σ_k of length ℓ.

Theorem 8. There is an absolute constant C > 0 such that for a prime p > k, an ordinary curve E and a subgroup H of E(F_p) of order t, uniformly over all non-zero vectors c ∈ F_p^k, we have

$$\Delta_{k,\ell}(\mathcal{H},N) \ll \bigl(N^{2k} p^{1/4} t^{1/2} + N^{k-1/2} t\bigr)\,(C \log p)^k$$

for all positive integers k, ℓ and N with gcd(N!, t) = 1.
Proof. Clearly the binary expansion of x ∈ F_p ends with an ℓ-bit string σ if and only if x = 2^ℓ y + a, where a is the integer represented by σ and the integer y is such that 0 ≤ y < (p − a)/2^ℓ. Alternatively, denoting by λ ∈ F_p the reciprocal of 2^ℓ, we obtain

$$\lambda(x - a) = y.$$

We now define

$$L_j = \bigl\lceil (p - a_j)/2^{\ell} \bigr\rceil - 1, \qquad j = 1, \dots, k.$$

We also recall the identity

$$\frac{1}{p} \sum_{c \in \mathbb{F}_p} \psi(cz) = \begin{cases} 1, & \text{if } z = 0,\\ 0, & \text{if } z \in \mathbb{F}_p^*. \end{cases}$$

Therefore, for any fixed nontrivial additive character ψ of F_p, we have

$$\begin{aligned} A_{k,\ell}(R,N;\sigma_1,\dots,\sigma_k) &= \sum_{n_1,\dots,n_k=1}^{N} \sum_{y_1=0}^{L_1} \cdots \sum_{y_k=0}^{L_k} \prod_{j=1}^{k} \frac{1}{p} \sum_{c_j \in \mathbb{F}_p} \psi\Bigl(c_j\Bigl(\lambda\, x\Bigl(\prod_{i=1}^{j} n_i\, R\Bigr) - \lambda a_j - y_j\Bigr)\Bigr) \\ &= \frac{1}{p^k} \sum_{n_1,\dots,n_k=1}^{N} \sum_{y_1=0}^{L_1} \cdots \sum_{y_k=0}^{L_k} \sum_{c \in \mathbb{F}_p^k} \psi\Bigl(\sum_{j=1}^{k} c_j\Bigl(\lambda\, x\Bigl(\prod_{i=1}^{j} n_i\, R\Bigr) - \lambda a_j - y_j\Bigr)\Bigr) \\ &= \frac{1}{p^k} \sum_{c \in \mathbb{F}_p^k} T_k(\lambda c, R; N)\, \psi\Bigl(-\lambda \sum_{j=1}^{k} c_j a_j\Bigr) \prod_{j=1}^{k} \sum_{y_j=0}^{L_j} \psi(-c_j y_j), \end{aligned}$$

where the outer summation is taken over all vectors c = (c_1, ..., c_k) ∈ F_p^k. Separating the term

$$\frac{1}{p^k}\, N^k \prod_{j=1}^{k} (L_j + 1) = 2^{-k\ell} N^k + O\bigl(N^k p^{-1}\bigr),$$

corresponding to the zero vector c = 0, we obtain

$$\bigl|A_{k,\ell}(R,N;\sigma_1,\dots,\sigma_k) - 2^{-k\ell} N^k\bigr| \ll N^k p^{-1} + \frac{1}{p^k} \sum_{\substack{c \in \mathbb{F}_p^k\\ c \ne 0}} \bigl|T_k(\lambda c, R; N)\bigr| \prod_{j=1}^{k} \Bigl|\sum_{y_j=0}^{L_j} \psi(-c_j y_j)\Bigr|.$$

Furthermore, using that

$$\Bigl|\sum_{y=0}^{L} \psi(-cy)\Bigr| \ll \frac{p}{1 + \min\{c,\, p - c\}},$$

which holds for c ∈ F_p and a positive integer L, see [12, Bound (8.6)], we derive

$$\bigl|A_{k,\ell}(R,N;\sigma_1,\dots,\sigma_k) - 2^{-k\ell} N^k\bigr| \ll N^k p^{-1} + \sum_{\substack{c \in \mathbb{F}_p^k\\ c \ne 0}} \bigl|T_k(\lambda c, R; N)\bigr| \prod_{j=1}^{k} \frac{1}{1 + \min\{c_j,\, p - c_j\}}.$$

Since the right hand side of the last expression does not depend on σ_1, ..., σ_k, we see that

$$\Delta_{k,\ell}(\mathcal{H},N) \ll N^k t p^{-1} + \sum_{\substack{c \in \mathbb{F}_p^k\\ c \ne 0}} \prod_{j=1}^{k} \frac{1}{1 + \min\{c_j,\, p - c_j\}} \sum_{R \in \mathcal{H}} \bigl|T_k(\lambda c, R; N)\bigr|.$$

Finally, using the Cauchy inequality and then applying Theorem 7 we obtain

$$\Delta_{k,\ell}(\mathcal{H},N) \ll N^k t p^{-1} + \sum_{\substack{c \in \mathbb{F}_p^k\\ c \ne 0}} \sqrt{t\, V_k(c,\mathcal{H};N)}\; \prod_{j=1}^{k} \frac{1}{1 + \min\{c_j,\, p - c_j\}}.$$
We choose C_0 such that

$$\sum_{c \in \mathbb{F}_p} \frac{1}{1 + \min\{c,\, p - c\}} \le C_0 \log p.$$

Taking C > C_0 sufficiently large (to accommodate in C^k all other constants and also the factor k^{1/2}) we obtain

$$\Delta_{k,\ell}(\mathcal{H},N) \ll \bigl(N^{2k} p^{1/4} t^{1/2} + N^k t p^{-1} + N^{k-1/2} t\bigr)\,(C \log p)^k.$$

Furthermore, the condition gcd(N!, t) = 1 implies that N < t = O(p), thus N^k p^{-1} ≪ N^{k−1/2}. Hence the term N^k t p^{-1} can be omitted from the above bound, which concludes the proof. □



We recall that in [13], it has been suggested to use the values N = (log p)^. Since cardinalities of elliptic curves of cryptographic interest are either prime or contain a very small smooth part (that is, a part composed of small primes), it is natural to assume that the order t of the largest subgroup H of E(F_p) with gcd(N!, t) = 1 satisfies t = p^{1+o(1)}. In fact, assuming only that t ≥ p^{1/2+δ} for some fixed δ > 0, we see that Theorem 8 is nontrivial provided kℓ = o(log N), and asserts that for almost all points R ∈ H, strings of ℓ least significant bits of the vectors (2) are uniformly distributed. That is, for all 2^{kℓ} choices of k bit strings σ_1, ..., σ_k of length ℓ, for almost all points R ∈ H, the counting function A_{k,ℓ}(R,N;σ_1,...,σ_k) is close to its expected value 2^{−kℓ}N^k.